1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

579 Commits

Author SHA1 Message Date
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Stefan Metzmacher
e039e9b0d2 s3:cliconnect.c: remove useless ';'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 23:15:16 +01:00
Stefan Metzmacher
0786a65cab s3:libsmb: allow -U"\\administrator" to work
cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 23:15:16 +01:00
Gary Lockyer
d11473b15d source3: remove sock_exec
Remove the sock_exec code which is no longer needed and additionally has been
used by exploit code.

This was originally test support code, the tests relying on the sock_exec
code have been removed.

Past exploits have used sock_exec as a proxy for system() matching a talloc
destructor prototype.

See for example:
Exploit for Samba vulnerabilty (CVE-2015-0240) at
    https://gist.github.com/worawit/051e881fc94fe4a49295
    and the Red Hat post at
    https://access.redhat.com/blogs/766093/posts/1976553

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 20 07:20:13 CET 2017 on sn-devel-144
2017-11-20 07:20:13 +01:00
Andreas Schneider
6d7681c73d s3:libsmb: Print the kinit failed message with DBGLVL_NOTICE
The default debug level of smbclient is set to 'log level = 1'. So we
need to use at least NOTICE to not get the message when we do not force
kerberos.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 24 17:22:18 CEST 2017 on sn-devel-144
2017-08-24 17:22:18 +02:00
Stefan Metzmacher
0f9d102460 s3:libsmb: let get_ipc_connect() use CLI_FULL_CONNECTION_FORCE_SMB1
get_ipc_connect() is only used in code paths that require cli_NetServerEnum()
to work, so it must already require SMB1 only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12876

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-08-19 01:41:24 +02:00
Stefan Metzmacher
0a81af6824 s3:libsmb: add CLI_FULL_CONNECTION_DISABLE_SMB1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-22 13:07:41 +02:00
Stefan Metzmacher
5a05b0b169 s3:libsmb: add CLI_FULL_CONNECTION_FORCE_SMB1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-22 13:07:40 +02:00
Stefan Metzmacher
8c4cef218a s3:libsmb: no longer pass remote_realm to cli_state_create()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-22 13:07:40 +02:00
Jeremy Allison
50f50256aa s3: libsmb: Correctly do lifecycle management on cli->smb1.tcon and cli->smb2.tcon.
Treat them identically. Create them on demand after for a tcon call,
and delete them on a tdis call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-06-17 06:39:20 +02:00
Stefan Metzmacher
e0069bd2a4 s3:libsmb: add cli_state_update_after_sesssetup() helper function
This function updates cli->server_{os,type,domain} to valid values
after a session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-09 13:00:12 +02:00
Andreas Schneider
d18379fa00 Revert "s3:libsmb: Fix printing the session setup information"
This reverts commit b6f87af427.

A different fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-09 13:00:11 +02:00
Andreas Schneider
b6f87af427 s3:libsmb: Fix printing the session setup information
This fixes a regression and prints the session setup on connect again:

Domain=[SAMBA-TEST] OS=[Windows 6.1] Server=[Samba 4.7.0pre1-DEVELOPERBUILD]
smb: \>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-07 05:15:16 +02:00
Stefan Metzmacher
f4424579a0 s3:libsmb: don't rely on gensec_session_key() to work on an unfinished authentication
If smbXcli_session_is_guest() returns true, we should handle the authentication
as anonymous and don't touch the gensec context anymore.

Note that smbXcli_session_is_guest() always returns false, if signing is
required!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:08 +02:00
Andreas Schneider
c0e196b223 s3:libsmb: Only print error message if kerberos use is forced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
2017-03-21 14:25:54 +01:00
Ralph Boehme
8cbdc6a6df libcli/smb: add max_credits arg to smbXcli_negprot_send()
This allows source4/torture code to set the option for tests by
preparing a struct smbcli_options with max_credits set to some value and
pass that to a torture_smb2_connection_ext().

This will be used in subsequent smbtorture test for SMB2 creditting.

Behaviour of existing upper layers is unchanged, they simply pass the
wanted max credits value to smbXcli_negprot_send() instead of
retrofitting it with a call to smb2cli_conn_set_max_credits().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-03 21:55:27 +01:00
Stefan Metzmacher
5c7523890d s3:libsmb: use a local got_kerberos_mechanism variable in cli_session_creds_prepare_krb5()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-27 08:09:15 +01:00
Stefan Metzmacher
f7d249da4e s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()
Also old servers should be able to handle NTLMSSP via SPNEGO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144
2016-12-21 22:21:08 +01:00
Stefan Metzmacher
12212363bf s3:libsmb: remove now unused cli_session_setup()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-21 18:35:13 +01:00
Stefan Metzmacher
b9b0815d0f s3:libsmb: add cli_smb1_setup_encryption*() functions
This will allow us to setup SMB1 encryption by just passing
cli_credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-21 18:35:12 +01:00
Stefan Metzmacher
cb83be2f01 s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Stefan Metzmacher
a579151ee7 s3:libsmb: split out a cli_session_creds_prepare_krb5() function
This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.

In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Stefan Metzmacher
5ca59a1772 s3:libsmb: don't pass 'passlen' to cli_tree_connect[_send]() and allow pass=NULL
There're no callers which try to pass a raw lm_response directly anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  9 13:09:37 CET 2016 on sn-devel-144
2016-12-09 13:09:37 +01:00
Stefan Metzmacher
bae607af36 s3:libsmb: add cli_tree_connect_creds()
This can be used with a valid creds structure in order
to do a share level authentication or with NULL in the cases
we assume a modern server already.

Later we can change the ordering and implement
cli_tree_connect() on top of cli_tree_connect_creds().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
d0d17cdb77 s3:libsmb: fix 'client lanman auth = no' DEBUG message in cli_session_setup_creds_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
bf520b70ab s3:libsmb: restructure cli_full_connection_creds* flow
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  2 17:32:26 CET 2016 on sn-devel-144
2016-12-02 17:32:26 +01:00
Stefan Metzmacher
3c67855c2b s3:libsmb: change cli_full_connection_send/recv into cli_full_connection_creds_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-02 13:46:11 +01:00
Stefan Metzmacher
dafab66481 s3:libsmb: make cli_session_creds_init() non-static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:29 +01:00
Stefan Metzmacher
f49b9ada60 s3:libsmb: add cli_session_setup_anon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:29 +01:00
Stefan Metzmacher
3a14eec09e s3:libsmb: change cli_session_setup_send/recv into cli_session_setup_creds_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:28 +01:00
Stefan Metzmacher
32438b7cec s3:libsmb: move domain\\username magic to cli_session_creds_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:28 +01:00
Stefan Metzmacher
fb13eeecea s3:libsmb: get the plaintext and NTLM authentication details out of cli_credentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:28 +01:00
Stefan Metzmacher
b64b24a493 s3:libsmb: move cli_session_creds_init() to cli_session_setup_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:28 +01:00
Stefan Metzmacher
8a4f76e060 s3:libsmb: move cli_session_setup_get_account into cli_session_creds_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:28 +01:00
Stefan Metzmacher
f4cfff3669 s3:libsmb: pass cli_credentials to cli_session_setup_gensec_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:28 +01:00
Andreas Schneider
da5e12efa8 s3:libsmb: split out a cli_session_creds_init() function
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
a460e6beef s3:libsmb: pass the optional dest_realm via the cli_credentials
'dest_realm' is only valid in the winbindd use case, where we also have
the account in that realm.

We need to ask the DC to which KDC the principal belongs to, in order to
get the potential trust referrals right.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
75b68d0360 s3:libsmb: let gensec handle the fallback from krb5 to ntlmssp
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
7512eb5dfb s3:libsmb: remove target_principal argument from cli_session_setup_gensec_send()
It's enough to pass down target_service and target_hostname, that's all we
have at the smb layer. The kerberos layer should figure out what
the final target_principals is based on the users realm.

The gse_krb5 backend doesn't use it currently, so it's also unused.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
721b823762 s3:libsmb: always pass the servers gss blob to gensec
The spnego backend will take the "client use spnego principal" option.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
c758df6b4a s3:libsmb: remove unused cli_session_setup_{lanman2,plain,nt1}*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
a54d250e09 s3:libsmb: make use of smb1cli_session_setup_{nt1,lm21}_send/recv()
This separates the construction of the ASCII-Password (lm_response)
and UNICODE-Password (nt_response) values from the marshalling logic.

We don't need the NT1 marshalling logic 3 times (guest, plain, nt1),
we just need it once now in smb1cli_session_setup_nt1*.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
9fffec8803 s3:libsmb: make use of smb1cli_session_setup_ext_send/recv()
This separates the spnego authentication logic from the
marshalling logic.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Andreas Schneider
5b8ed5009b s3:libsmb: handle the spnego as a first action in cli_session_setup_send()
This will make further restructuring easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
cb10628a72 s3:libsmb: add some comments to the noop case for < PROTOCOL_LANMAN1 in cli_session_setup_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:27 +01:00
Stefan Metzmacher
482d3b35e9 s3:libsmb: let the callers only pass the password string to cli_session_setup[_send]()
There're no callers which tried to pass raw {lm,nt}_response any more.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:26 +01:00
Stefan Metzmacher
87c3ff0f3b s3:libsmb: make use of get_cmdline_auth_info_* helper functions in get_ipc_connect()
We should avoid to dereference struct user_auth_info.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-21 20:44:23 +02:00
Andreas Schneider
2454374309 krb5_wrap: Rename kerberos_get_principal_from_service_hostname()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:16 +02:00
Jeremy Allison
79c8b75671 s3: libsmb: Add uint16_t addtional_flags2 to cli_smb_req_create().
Not yet used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12165

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-08-19 20:03:12 +02:00
Jeremy Allison
a876f915fd s3: libsmb: Add uint16_t additional_flags2 arg to cli_smb_send().
Not yet used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12165

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-08-19 20:03:11 +02:00